aquasecurity/trivy

Stars
21,297
Rank 1,084 (Top 0.03 %)
Language
Go
License
Apache License 2.0
Created about 5 years ago
Updated 5 days ago

aquasecurity/trivy

aquasecurity

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

📖 Documentation

Trivy (pronunciation) is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.

Targets (what Trivy can scan):

Container Image
Filesystem
Git Repository (remote)
Virtual Machine Image
Kubernetes
AWS

Scanners (what Trivy can find there):

OS packages and software dependencies in use (SBOM)
Known vulnerabilities (CVEs)
IaC issues and misconfigurations
Sensitive information and secrets
Software licenses

To learn more, go to the Trivy homepage for feature highlights, or to the Documentation site for detailed information.

Quick Start

Get Trivy

Trivy is available in most common distribution channels. The full list of installation options is available in the Installation page. Here are a few popular examples:

brew install trivy
docker run aquasec/trivy
Download binary from https://github.com/aquasecurity/trivy/releases/latest/
See Installation for more

Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the Ecosystem page. Here are a few popular examples:

Canary builds

There are canary builds (Docker Hub, GitHub, ECR images and binaries) as generated every push to main branch.

Please be aware: canary builds might have critical bugs, it's not recommended for use in production.

General usage

trivy <target> [--scanners <scanner1,scanner2>] <subject>

Examples:

trivy image python:3.4-alpine

Result

trivy-image.mov

trivy fs --scanners vuln,secret,config myproject/

Result

trivy-fs.mov

trivy k8s --report summary cluster

Result

FAQ

How to pronounce the name "Trivy"?

tri is pronounced like trigger, vy is pronounced like envy.

Community

Trivy is an Aqua Security open source project.
Learn about our open source work and portfolio here.
Contact us about any matter by opening a GitHub Discussion here Join our Slack community to stay up to date with community efforts.

Please ensure to abide by our Code of Conduct during all interactions.

tfsec

Security scanner for your Terraform code

kube-bench

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark

kube-hunter

Hunt for security weaknesses in Kubernetes clusters

tracee

Linux Runtime Security and Forensics using eBPF

cloudsploit

Cloud Security Posture Management (CSPM)

starboard

Moved to https://github.com/aquasecurity/trivy-operator

trivy-operator

Kubernetes-native security toolkit

microscanner

Scan your container images for package vulnerabilities with Aqua Security

kubectl-who-can

Show who has RBAC permissions to perform actions on different resources in Kubernetes

chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.

trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities

cloud-security-remediation-guides

Security Remediation Guides

libbpfgo

eBPF library for Go. Powered by libbpf.

vuln-list

NVD, Ubuntu, Alpine

btfhub

BTFhub, in collaboration with the BTFhub Archive repository, supplies BTF files for all published kernels that lack native support for embedded BTF. This joint effort ensures that even kernels without built-in BTF support can effectively leverage the benefits of eBPF programs, promoting compatibility across various kernel versions.

esquery

An idiomatic Go query builder for ElasticSearch

kube-query

[EXPERIMENTAL] Extend osquery to report on Kubernetes

defsec

Trivy's misconfiguration scanning engine

trivy-db

fanal

Static Analysis Library for Containers

postee

Simple message routing system that receives input messages through a webhook interface and can enforce actions using predefined outputs via integrations.

harbor-scanner-trivy

Use Trivy as a plug-in vulnerability scanner in the Harbor registry

docker-bench

Checks whether Docker is deployed according to security best practices as defined in the CIS Docker Benchmark

cloudsec-icons

A collection of cloud security icons ☁️🔒

manifesto

Use Manifesto to store and query metadata for container images.

vuln-list-update

tfsec-pr-commenter-action

Add comments to pull requests where tfsec checks have failed

linux-bench

Checks whether a Linux server according to security best practices as defined in the CIS Distribution-Independent Linux Benchmark

go-dep-parser

Dependency Parser for Multiple Programming Languages

lmdrouter

Go HTTP router library for AWS API Gateway-invoked Lambda Functions

appshield

Security configuration checks for popular cloud native applications and infrastructure.

Open Policy Agent

starboard-lens-extension

Lens extension for viewing Starboard security information

trivy-vscode-extension

A VS Code Extension for Trivy

aqua-helm

Helm Charts For Installing Aqua Security Components

btfhub-archive

The BTFhub Archive repository provides BTF files for those published kernels that lack native support for embedded BTF, thereby enhancing the versatility of eBPF programs across different kernel versions.

table

🧮 Tables for terminals, in Go.

tracee-action

Protect GitHub Actions with Tracee

Open Policy Agent

cfsec

Static analysis for CloudFormation templates to identify common misconfiguration

starboard-octant-plugin

Octant plugin for viewing Starboard security information

deployments

All Aqua deployments options and aquactl configuration

tfsec-sarif-action

tfsec-action

Vanilla GitHub action to run tfsec

trivy-azure-pipelines-task

An Azure Pipelines Task for trivy

community

Aqua Security's open source community

harbor-scanner-aqua

Aqua Enterprise scanner as a plug-in vulnerability scanner in the Harbor registry

go-version

A Go library for parsing and verifying versions and version constraints.

aqua-operator

The aqua-operator is a group of controllers that runs within a Kubernetes or Openshift cluster that provides a means to deploy and manage Aqua Security cluster and Components.

vscode-tfsec

vscode extension for tfsec

terraform-provider-aquasec

trivy-operator-lens-extension

https://github.com/aquasecurity/trivy-operator

trivy-java-db

trivy-kubernetes

Trivy kubernetes library

trivy-plugin-kubectl

A Trivy plugin that scans the images of a kubernetes resource

trivy-plugin-referrer

Trivy plugin for OCI referrers

trivy-enforcer

[EXPERIMENTAL] Kubernetes Operator for Image Assurance

chain-bench-action

trivy-checks

aqua-aws

The repository not supported any more. Please use this one https://github.com/aquasecurity/deployments

trivy-docker-extension

Docker Desktop Extension for Trivy

starboard-operator

The Starboard Operator has moved to the main Starboard repo, and this one is being retired

saas-terraform-connection

Terraform modules for CloudSploit Scanner

trivy-ci-test

saas-api-samples

Sample code snippets for consuming the CloudSploit API

circleci-orb-microscanner

Enables scanning of docker builds in CircleCi for OS package vulnerabilities.

trivy-pipe

Bitbucket Pipe for running Trivy in a Pipeline

windows-bench

Checks whether a Windows server according to security best practices as defined in the CIS Distribution-Independent Windows Benchmark

vim-tfsec

List your tfsec issues in the QuickFix window with this plugin.

helm-charts

Aqua Open Source Helm Chart Repository

vim-trivy

Vim Plugin for Trivy

trivy-plugin-aqua

binfinder

Find binary files not installed through package manager

tracee-tester

This is a spin-off from Tracee project responsible for generating the docker image that tests open-source signatures.

gobard

Unofficial Golang API for Bard Chat.

trivy-sarif-demo

go-git-pr-commenter

library for adding comments to git PRs

cloud-metadata

Common metadata repository for CSPM and TFSec checks

tracee-test-kernels

Kernels for testing tracee CO-RE feature

bench-common

Common code for hardening benchmarks

aws-security-hub-plugin

Aqua Security AWS Security Hub plugin

trivy-repo

deb/rpm repository for Trivy

aqua-dash

Sample Aqua CSP dashboard

scan-cve-2018-8115

pipeline-enforcer-action

intellij-trivy

Trivy Plugin for the JetBrains family of IDEs

go-pep440-version

A golang library for parsing PEP 440 compliant Python versions

build-security-action

GitHub Action for Aqua Build Security

go-npm-version

A golang library for parsing npm versions

amazon-eks-devsecops

trivy-plugin-attest

Publish SBOM attestation

tfsec-azure-pipelines-task

An Azure DevOps Task for tfsec

trivy-iac

trivy-module-wordpress

Trivy example module for WordPress

saas-integrations

CloudSploit third-party integrations

reportgen

PDF reports for Aqua CSP image and host vulnerabilities

avd-generator

Generator component for AVD

testdocker

Test utilities for Docker Engine/Registry

secfixes-tracker

Forked from https://gitlab.alpinelinux.org/kaniini/secfixes-tracker

starboard-aqua-csp-webhook

The image scan results webhook configurable in Aqua CSP management console to integrate with the Starboard tool kit.

trivy-test-images

Test images for Trivy

homebrew-trivy